The arrest amid Britain's rocky Shetland Islands of a supposed LulzSec member shocked many. The police believe the man to be Topiary -- but he hasn't yet been officially charged. (Source: iTravel Magazine)

It's possible that Topiary is neither the arrested man or Daniel Sandberg. Or it's possible that either of them is the real deal. (Source: Flickr/Skepchick)

Evidence points in many directions -- hopefully the truth will surface as the police investigation proceeds

Citing a police statement, multiple news agencies reported on Wednesday afternoon that British police had arrested the hacking superstar who goes by the alias "Topiary", one of the masterminds behind hacking giants LulzSec [1][2][3][4][5][6][7] [8][9][10][11][12][13][14][15]. But the picture is far less clear than some media outlets portrayed initially.

I. Social Engineering, Blurring the Line Between Reality and Misdirection

The first thing to remember is that perhaps the most important hacking art is social engineering. Social engineering holds the key to many of history's biggest hacks, and it holds the key to hackers avoiding law enforcement -- at least for a time.

Social engineering is essentially "people exploitation" (also known as manipulation) -- duping someone into believing something that works to your advantage. Thus we arrive at the compelling problem in the arrest of the alleged Topiary and the ensuing media coverage thereof.

Almost surely Topiary -- the spokesperson for LulzSec and reportedly a key force in planning attacks -- like the rest of LulzSec's elite was a master social engineer. Anyone in the world knew that, following his or her role in the group's high-profile attacks, international authorities would be pursuing him or her vigorously. This individual would likely concoct one or more fake identities to try to throw authorities off their trail.

The answer -- and the point we tried to raise in our previous piece -- is that no one knows yet.

In their brief statement, the UK police indicate that they believe the man to be Topiary. Of course, that's only an unproven allegation at this point. It's also not unusual for police to misidentify a suspect -- in everyday crime cases, let alone a case of this nature. So it's far too early to say the police definitely caught Topiary -- particularly when the Scottish suspect hasn't even been charged with anything yet.

Yesterday we presented some evidence that suggests the true LulzSec Topiary may have misled authorities into arresting a well-known internet troll. Again, it is unclear whether this was simply more misdirection, or whether it was accurate. What is clear is that it provides compelling evidence to give pause to speaking in absolutes about the arrest.

Of the widely available evidence, the weakest is arguably the supposed "doxing" of Topiary by LulzSecurityExposed who claims him to be a 23-year-old Swede named Daniel Akerman Sandberg. While a possibility that should not be discounted, it seems quite likely that Mr. Sandberg is also not Topiary. He could be yet another misdirection ploy by Topiary.

The blog never published its methodology in obtaining this information. So it's fair to consider it highly suspect.

Further, Mr. Sandberg himself has reportedly responded to a Gawker interview request (for the record, we tried contacting him via Skype and were unable to reach him earlier or to confirm, in this follow-up, Gawker's claims), in which he admitted to being a member of LulzSec's parent organization, Anonymous, but denied being a hacker.

Another piece of evidence -- a chat log indicating that the real Topiary was framing the Scottish Topiary -- comes from th3j35t3r ("The Jester"), a hacktivist who has shown himself to be skilled in the past in his attacks on Wikileaks and other tough targets.

It's important to remember that these logs are distinct from the "doxing" by LulzSecurityExposed. It's clear from the comments from the name-redacted chatter that whoever was speaking with Topiary was familiar with the Dox. But Topiary never acknowledges this suggestion directly, so it's unclear whether he was even promoting that notion. What he was clearly promoting was the idea that the UK Topiary wasn't the real deal.

The confusing thing is that's exactly the kind of thing an individual would say if they were trying to frame somebody -- or trying to make it look like they were framed. Which is the case is unclear.

We have to presume he's innocent until proven otherwise. He hasn't been charged with any offences yet, and at the moment is just being questioned by the authorities.

I'm pretty sure that the police must have been pretty confident that they had evidence that the man they arrested was "Topiary" if they were prepared to name him as such in their press release.

If the man is connected in any way with criminal hacking activities and denial-of-service attacks I would expect him to start singing like a canary pretty quickly. You may be idealistic when young, but when the hard truth of the seriousness of the situation hits you, anyone with half a brain will realise that the only sensible course of action is to co-operate with the authorities.

So, if you ask me if I think that an unnamed man, arrested in an unnamed street, is guilty of crimes which I wasn't present at then I'm going to have to say "pass". Your guess is as good as mine.

I can't look into a crystal ball and magic up the proof for you, one way or another.

That said, even if Topiary doesn't "sing" -- as Mr. Cluley humorously puts it -- if the arrested man is indeed Topiary, there will likely be evidence of his activities on his computer systems. That is, unless he physically destroyed them.

Disposing of hard drives, etc., is commonplace among hackers looking to cover their trail. So it's perfectly possible that Topiary's systems may come up clean (unless the hacker was careless). Topiary's former hard drive may be lying at the bottom of some Scottish bay.

Chalk that up as one more unknown at present in the tale of Topiary.

Comments


Part of the cool thing is, if this guy was a random troll the ISP logs or his HDD will probably show that. (May even show his fight with "Topiary.") If he was encrypting and TORing all of his traffic, it'll show that and at least raise red flags (not saying that makes you guilty, but probably worth watching.) Also, with encryption/TOR you have to be pretty vigilant, so you don't expose yourself accidentally or through side channels. Encryption is great, until you SMS the wrong person etc.